jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
alertDetailsOverride:
alertSeverityColumnName: EventSeverity
alertTacticsColumnName: Tactics
alertDynamicProperties:
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: Techniques
value: Techniques
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
relevantTechniques:
name: Jamf Protect - Alerts
severity: High
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
tactics:
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
version: 1.0.6
kind: NRT
entityMappings:
- fieldMappings:
- columnName: DvcHostname
identifier: HostName
- columnName: DvcOs
identifier: OSFamily
- columnName: DvcOsVersion
identifier: OSVersion
entityType: Host
- fieldMappings:
- columnName: Host_IPs
identifier: Address
entityType: IP
- fieldMappings:
- columnName: TargetProcessCurrentDirectory
identifier: CommandLine
- columnName: TargetProcessId
identifier: ProcessId
entityType: Process
- fieldMappings:
- columnName: algorithm
identifier: Algorithm
- columnName: TargetBinarySHA256
identifier: Value
entityType: FileHash
requiredDataConnectors:
- connectorId: JamfProtect
dataTypes:
- jamfprotectalerts_CL
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: false
lookbackDuration: PT5H
matchingMethod: AllEntities
createIncident: true
customDetails:
Protect_Event_Type: EventType
Protect_Analytic: EventMessage
TargetbinarySign: TargetbinarySignerType
TargetBinarySigner: TargetBinarySigningTeamID
TargetBinarySignMsg: TargetBinarySigningInfoMessage
Related_Binaries: TargetBinaryFilePath
Protect_Tags: Tags
Related_File_hash: TargetBinarySHA256
JamfPro_Status: JamfPro
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
suppressionDuration: PT5H
status: Available
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
